Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
| description: Event timestamp. | ||
| - name: event.module | ||
| type: constant_keyword | ||
| description: Event module |
This definition is important because it includes the constant_keyword value of ti_cif3. The other definition is not a constant_keyword so this could affect query performance. Also I'm guessing that nothing sets a value for event.module in the _source so without this the field will go away.
So in general we would want to prefer the non-ECS definition when it's for an override to use constant_keyword. But for everything else I think the preference goes toward retaining the ECS definition and removing the others.
OK. Will go over them again and check for these and revert the ones that are constant_keyword.
PTAL
What does this PR do?
This fixes a number of duplicated field definitions required to get CI builds to pass. There may be duplicates in other SEI packages that have not been identified. These should be addressed when they are moved to storage format v2.
There are cases where fields are defined in base-fields that could be defined with external reference to the ECS. These have not been changed.
In order to get the juniper_netscreen package to pass, the formatting of MAC addresses was fixed to conform to the ECS.
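The preference rule from the review thread above (keep a `constant_keyword` override, otherwise keep the ECS definition), as an added example that is not part of this PR or the package tooling. The file names, the sample entries and the fallback of keeping the first definition seen are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: field definitions as they might look after loading a
# data stream's fields/*.yml files. File names and entries are illustrative.
SAMPLE = {
    "base-fields.yml": [
        {"name": "event.module", "type": "constant_keyword", "value": "ti_cif3"},
        {"name": "@timestamp", "type": "date"},
        {"name": "source", "type": "group", "fields": [
            {"name": "mac", "type": "keyword"},
        ]},
    ],
    "ecs.yml": [
        {"name": "event.module", "external": "ecs"},
        {"name": "@timestamp", "external": "ecs"},
        {"name": "source.mac", "external": "ecs"},
        {"name": "source.ip", "external": "ecs"},
    ],
}


def flatten(entries, prefix=""):
    """Yield (dotted_name, definition) pairs, descending into group fields."""
    for entry in entries:
        name = prefix + entry["name"]
        if entry.get("type") == "group":
            yield from flatten(entry.get("fields", []), name + ".")
        else:
            yield name, entry


def resolve_duplicates(files):
    """Return {field: (file_to_keep, [files_to_remove_from])} for duplicates."""
    seen = defaultdict(list)
    for filename, entries in files.items():
        for name, definition in flatten(entries):
            seen[name].append((filename, definition))

    decisions = {}
    for name, defs in seen.items():
        if len(defs) < 2:
            continue
        overrides = [d for d in defs if d[1].get("type") == "constant_keyword"]
        external = [d for d in defs if d[1].get("external") == "ecs"]
        # Rule from the review: a constant_keyword override wins; otherwise
        # keep the ECS definition. Assumed fallback: keep the first one seen.
        keep = (overrides or external or defs)[0]
        decisions[name] = (keep[0], [f for f, _ in defs if f != keep[0]])
    return decisions
```

Nested `group` entries are flattened to dotted names first, so a `source` group containing `mac` is matched against a flat `source.mac` definition.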